Lots of interesting posts this week, with a general theme of security. From securing GitHub organisations, research on developer education, an SBOM primer and recent software supply chain issues. Plus posts on WHOIS, service operations and team building to round things out.
StackHawk sponsors Devops Weekly
StackHawk just made it even easier to get started with automated security testing with the new StackHawk CLI. Watch the technical demo and get started with just a few commands from your terminal.
An interesting presentation with lots of collected research on helping developers adopt secure development practices.
Building teams is a big part of operating complex systems. This post looks at the cost of attrition, focusing on the often hidden communication cost.
A quick take on the issue this last week with NPM around the malicious release of a popular package, with some recommendations relevant to other package ecosystems and those releasing software.
“The WHOIS protocol is one of the older internet protocols around. It’s infuriatingly simple, by and large considered obsolete, and the data provided by it is unpredictable, unreliable, incomplete, and, of course, still one of the cornerstones of internet operations.”
A nice primer on SBOMs (Software Bill of Materials), explaining why the recent interest and most interestingly looking at wider ecosystem integrations coming.
A handy post on securing a GitHub organisation, from configuring with code to permissions, authentication, external users, audit logs and more.
CI pipelines are critical systems, but can be fragile without any form of testing in place. Here’s a handy post on testing and linting GitHub Actions to catch common mistakes.
A discussion of some of the pros and cons of centralised and decentralised responsibility for service operations.My experience is that what works changes over time, so being explicit and conscious of the approach is the important part.
A toolchain for keeping a set of container images for upstream software automatically updated using GitHub Actions.